Abstract—Nondeterminism in scheduling is the cardinal reason for the difficulty of proving the correctness of concurrent programs. A powerful proof strategy was recently proposed [6] to show the correctness of such programs. The approach captures data-flow dependencies among the instructions of an interleaved, error-free execution of threads. These data-flow dependencies are represented by an inductive data-flow graph (iDFG), which, in a nutshell, denotes the set of executions of the concurrent program that give rise to the discovered data-flow dependencies. The iDFGs are further transformed into alternating finite automata (AFAs) in order to use efficient automata-theoretic tools to solve the problem. In this paper, we give a novel and efficient algorithm to directly construct AFAs that capture the data-flow dependencies of a concurrent program execution. We implemented the algorithm in a tool called ProofTraPar to prove the correctness of finite-state cyclic programs under the sequentially consistent memory model. Our results are encouraging and compare favorably to existing state-of-the-art tools.


I. Introduction 

The problem of checking whether or not a correctness property (specification) is violated by a program (implementation) is already known to be challenging in a sequential setting, let alone when programs are implemented using concurrency. The central reason for the greater complexity of verifying concurrent implementations is the exponential increase in the number of executions. A concurrent program with n threads and k instructions per thread can have (nk)!/(k!)^n executions under a sequentially consistent (SC) [?] memory model. A common approach to address the complexity due to the exponential number of executions is trace partitioning.

In [6], a powerful proof strategy was presented which used the notion of trace partitioning. Let us take Peterson's algorithm in Figure 1 to convey the central idea behind the trace partitioning approach. In this algorithm, two processes, P_i and P_j, coordinate to achieve exclusive access to a critical section (CS) using shared variables. A process P_i will busy-wait if P_j has expressed interest in entering its CS and t is j.

In order to prove the mutual exclusion (ME) property of Peterson's algorithm, we must consider the boolean conditions of the while loops at control locations 3 and 8. The ME property is established only when at most one of these conditions is false under every execution of the program, i.e., ME must be shown to hold on an unbounded number of traces (a trace is "a sequence of events corresponding to an interleaved execution of processes in the program" [9]) generated by the unbounded number of unfoldings of the loops. Notice that the events at control locations 3 and 8 are data-dependent on the events from control locations 2, 6, 7 and 1, 2, 7, respectively. In any finite prefix of a trace of P_i || P_j (the interleaved execution of P_i and P_j) up to the events corresponding to control location 3 or 8, the last instance of the event at control location 2, lst2, and the last instance of the event at control location 7, lst7, can be ordered in only one of two ways: either lst2 appears before lst7 or lst2 appears after lst7. This partitions the unbounded set of traces into a set of just two traces.

    flag_i = false, flag_j = false, t = 0;

    P_i:                                    P_j:
    while (true) {                          while (true) {
      1. flag_i := true;                      6. flag_j := true;
      2. t := j;                              7. t := i;
      3. while (flag_j = true & t = j);       8. while (flag_i = true & t = i);
      4. // Critical Section                  9. // Critical Section
      5. flag_i := false;                    10. flag_j := false;
    }                                       }

Fig. 1: Peterson's algorithm for two processes P_i and P_j

When lst2 appears before lst7, the final value of the variable t is i, making the condition at control location 8 true. In the other case, when lst2 appears after lst7, the final value of the variable t is j, making the condition at control location 3 evaluate to true. Hence, in no trace are both conditions false simultaneously. This informal reasoning indicates that both processes can never be in their critical sections at the same time. Thus, the correctness of Peterson's algorithm can be demonstrated by picking the two traces mentioned above from the infinite set of traces and proving them correct. In general, the intuition is that a proof for a single trace of a program can prune a large set of traces from consideration. To convert this intuition into a feasible verification method, one needs to construct a formal structure from the proof of a trace σ such that the semantics of this structure includes the set of all traces whose proof arguments are equivalent to the proof of σ. Inductive Data Flow Graphs (iDFGs) were proposed in [6] to capture data dependencies among the events of a trace and to perform trace partitioning. All traces that have the same iDFG must have the same proof of correctness. In every iteration of their approach, a trace is picked from the set of all traces that are not yet covered by the iDFG, and an iDFG is constructed from its proof. The process is repeated until all traces are either covered by the iDFG or a counterexample is found. An intervening step converts the iDFG to an alternating finite automaton (AFA). While we explain AFAs in later sections, it suffices to understand at this stage that the language accepted by this AFA and the set of traces captured by the corresponding iDFG are the same. The reason for this conversion is to leverage automata-theoretic operations such as subtraction, complementation, etc., on the set of traces.

    (a) Example trace:  a. y := w    b. r := w + 1    c. t := x − 1
    (b) {abc, bac}
    (c) {abc, bac, acb, cab, bca, cba}
    (d) iDFG of the trace (diagram not reproduced)

Fig. 2: Comparison with [6]

Though the goal of [6] is the verification of concurrent programs, which is the same as in this work, our work has some crucial differences: (i) an AFA is constructed directly from the proof of a trace without requiring the iDFG construction; (ii) the verification procedure built on the directly constructed AFA is shown to be sound and complete (weakest preconditions are used to obtain the proof of correctness of a trace); (iii) to the best of our knowledge, we provide the first implementation of the proof strategy discussed in [6]. The example trace of Figure 2(a) highlights the key difference between the iDFG-to-AFA conversion of [6] and the direct approach presented in this work. Note that all three events a, b, and c are data independent, hence every trace obtained by permuting the events in abc also satisfies the same pre- and post-conditions. For the Hoare triple {w > 3} abc {y > 3 ∧ t < x ∧ r > w}, Figure 2(b) shows the set of traces admitted by the AFA (obtained from the iDFG shown in Figure 2(d)) after the first iteration, as computed by [6]. This set clearly does not contain every permutation of abc; consequently, more iterations are required to converge to an AFA that represents all traces admissible under the same pre- and post-conditions. In contrast, the AFA constructed directly by our approach from the Hoare triple {w > 3} abc {y > 3 ∧ t < x ∧ r > w} admits the set of traces shown in Figure 2(c). Hence, on this example, our strategy terminates in a single iteration.

To summarize, the contributions of this work are as follows:

• We present a novel algorithm to directly construct an AFA from the proof of a sequential trace of a finite-state (possibly cyclic) concurrent program. This construction is used to give a sound and complete verification procedure along the lines of [6].

• While [6] allows the use of any sequential verification method to construct the proof of a given trace, that paper does not comment on the performance and feasibility of the approach due to the lack of an implementation. The second contribution of this paper is an implementation in the form of a tool, ProofTraPar. We compare our implementation against other state-of-the-art tools in this domain, such as THREADER [10] and Lazy-CSeq [11] (winners in the concurrency category of the software verification competitions held in 2013, 2014, and 2015). ProofTraPar, on average, performed an order of magnitude better than THREADER and 3 times better than Lazy-CSeq.

The paper is organized as follows: Section II covers the notation, definitions and programming model used in this paper; Section III presents our approach with the help of an example to convey the overall idea and describes in detail the algorithms for constructing the proposed alternating finite automaton along with their correctness proofs. This section ends with the overall verification algorithm and the proof of its soundness and completeness for finite-state concurrent programs. Section IV presents the experimental results and a comparison with the existing tools THREADER [10] and Lazy-CSeq [11]. Section V presents related work and Section VI concludes with possible future directions.

II. Preliminaries


A. Program Model 

We consider shared-memory concurrent programs composed of a fixed number of deterministic sequential processes and a finite set of shared variables SV. A concurrent program is a quadruple 𝒫 = (P, A, I, 𝒟) where P is a finite set of processes, A = {A_p | p ∈ P} is a set of automata, one for each process, specifying their behaviour, 𝒟 is a finite set of constants appearing in the syntax of the processes, and I is a function from variables to their initial values. Each process p ∈ P has a disjoint set of local variables LV_p. Let Exp_𝒫 (BExp_𝒫) denote the set of expressions (boolean expressions), ranged over by exp (φ), constructed using shared variables, local variables, 𝒟, and standard mathematical operators. Each specification automaton A_p is a quadruple (Q_p, q_p^init, δ_p, Assrn_p) where Q_p is a finite set of control states, q_p^init is the initial state, and Assrn_p ⊆ Q_p × BExp_𝒫 is a relation specifying the assertions that must hold at some control state. Each transition in δ_p is of the form (q, op_p, q') where op_p ∈ {x := exp, assume(φ), lock(x)}. Here x := exp evaluates exp in the current state and assigns the value to x, where x ∈ SV ∪ LV_p. assume(φ) is a blocking operation that suspends the execution if the boolean expression φ evaluates to false; otherwise it acts as a nop. This instruction is used to encode the control path conditions of a program. lock(x), where x ∈ SV, is a blocking operation that suspends the execution if the value of x is not equal to 0; otherwise it assigns 1 to x. The operation unlock is achieved by assigning 0 to this shared variable. Each of these operations is deterministic in nature, i.e., executing the same operation from the same state always gives the same behaviour. In all examples of this paper, we use symbolic labels to succinctly represent program operations. For example, Figure 3 shows the specification of the two processes in Peterson's algorithm. Labels {a, b, p, q, ...} denote operations in the program. The variable res is introduced to specify the mutual exclusion property as a safety property. A process P_i sets this variable to i inside its critical section. The assertion assert(res = i) is checked in P_i before leaving its critical section. If these assertions hold in every execution of the two processes then the mutual exclusion property holds. These assertions are shown as Assrn_P1(q_f) and Assrn_P2(q_u) in Figure 3 and they need to be checked at states q_f and q_u respectively. A tuple t of n elements can be represented as a function such that t[k] returns the k-th element of the tuple. Given a function fun, fun[a ← b] denotes the function that agrees with fun everywhere except at a, where it returns b.

    P1 (operations in execution order):
      a. flag1 := true        b. turn := 2
      B. assume(φ)            (repeat the wait loop)
      A. assume(¬φ)           (leave the wait loop)
      c. res := 1             d. ℓ1 := res            e. flag1 := false

    P2 (operations in execution order):
      p. flag2 := true        q. turn := 1
      Q. assume(φ')           (repeat the wait loop)
      P. assume(¬φ')          (leave the wait loop)
      r. res := 2             s. ℓ2 := res            t. flag2 := false

    Assrn_P1(q_f) ≝ (ℓ1 = 1),   Assrn_P2(q_u) ≝ (ℓ2 = 2)
    φ ≝ flag2 = true && turn = 2,   φ' ≝ flag1 = true && turn = 1

Fig. 3: Specification of Peterson's algorithm (the control-state diagram is not reproduced)

a) Parallel Composition in the SC memory model: Given a concurrent program 𝒫 = (P, A, I, 𝒟) consisting of n processes P = {p1, ..., pn}, we define an automaton A(𝒫) = (Q, q^init, δ, Assrn) to represent the parallel composition of 𝒫 in the SC memory model. Here Q = Q_p1 × ··· × Q_pn is the set of states, ranged over by q; q^init = (q_p1^init, ..., q_pn^init) is the initial state; and the transition relation δ models the interleaving semantics. Formally, (q, op_j, q') ∈ δ iff there exists a j ∈ {1, ..., n} such that q[j] = q_pj, q' = q[j ← q'_pj] and (q_pj, op_j, q'_pj) ∈ δ_pj. For a state q, let T(q) = {Assrn_pi(q[i]) | i ∈ {1, ..., n}}. If T(q) is not empty then Assrn(q) is the conjunction of the assertions in the set T(q). The relation Assrn captures the assertions which need to be checked in the interleaved traces of 𝒫. As our interest lies in analyzing those traces which reach the control points where assertions are specified, we mark all states where the relation Assrn is defined as accepting states. Every word accepted by A(𝒫) represents one SC execution leading to a control location where at least one assertion is to be checked.


B. Weakest Precondition

Given an operation op ∈ OP(𝒫) and a postcondition formula φ, the weakest precondition of op with respect to φ, denoted by wp(op, φ), is the weakest formula ψ such that, starting from any program state s that satisfies ψ, the execution of the operation op terminates and the resulting program state s' satisfies φ.

    wp(op, φ) ≝
        φ                                   if op = skip
        φ[x/exp]                            if op = x := exp
        φ ∧ φ'                              if op = assert(φ')
        φ' ⇒ φ                              if op = assume(φ')
        wp(assume(x = 0), wp(x := 1, φ))    if op = lock(x)
        wp(op1, wp(op2, φ))                 if op = op1.op2

Fig. 4: Weakest precondition axioms

Given a formula φ, a variable X and an expression e, let φ[X/e] denote the formula obtained by substituting all free occurrences of X by e in φ. We assume an equality operator over formulae that represents syntactic equality. Every formula is assumed to be normalized into conjunctive normal form (CNF). We use true (false) to syntactically represent a logically valid (unsatisfiable) formula. Weakest precondition axioms for the different program statements are shown in Figure 4. Here the empty sequence of statements is denoted by skip. We have the following properties of weakest preconditions.

Property 1: If wp(op, φ1) = ψ1 and wp(op, φ2) = ψ2 then

• wp(op, φ1 ∧ φ2) = ψ1 ∧ ψ2, and

• wp(op, φ1 ∨ φ2) = ψ1 ∨ ψ2. Note that this property holds only when op is a deterministic operation, which is true in our programming model.

Property 2: Let φ1 and φ2 be formulas such that φ1 logically implies φ2. Then for every operation op, the formula wp(op, φ1) logically implies wp(op, φ2).

We say that a formula φ is stable with respect to a statement S if wp(S, φ) is logically equivalent to φ. In this paper, we use weakest preconditions to check the correctness of a trace with respect to some safety assertion. A trace σ reaching up to a safety assertion φ is safe if the execution of σ starting from the initial state I either 1) blocks (does not terminate) because some path condition is not satisfied, or 2) terminates and the resulting state satisfies φ. The following lemmas define the conditions, in terms of the weakest precondition axioms, for declaring a trace σ either safe or unsafe. Detailed proofs are given in Appendix A and in [?]. Here σ[assume/assert] denotes the trace obtained by replacing every instruction of the form assume(φ) by assert(φ) in σ.

Lemma 1: For a trace σ, an initial program state I and a safety property φ, if wp(σ[assume/assert], ¬φ) ∧ I is unsatisfiable then the execution of σ, starting from I, either does not terminate or terminates in a state satisfying φ.

Lemma 2: For a trace σ, an initial program state I and a safety property φ, if wp(σ[assume/assert], ¬φ) ∧ I is satisfiable then the execution of σ, starting from I, terminates in a state not satisfying φ.
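As an added illustration (not code from the paper or from ProofTraPar), the following Python script applies the wp axioms of Figure 4 and Lemma 1 to the Peterson trace σ = abApqPrcs of Figure 7 against the property ℓ2 = 2 checked at q_u. Because the program is finite-state, a formula is represented semantically as a predicate over an enumerated state space rather than symbolically; the variable domains, the initial-state predicate and the choice of leaving turn unconstrained in I are assumptions made here.

```python
from itertools import product

# Finite state space of the two-process Peterson specification (Figure 3).
# The domains are a constructed assumption; the page does not fix them.
VARS = ("flag1", "flag2", "turn", "res", "l1", "l2")
DOMAINS = ((False, True), (False, True), (1, 2), (0, 1, 2), (0, 1, 2), (0, 1, 2))
STATES = [dict(zip(VARS, vals)) for vals in product(*DOMAINS)]

# Wait-loop conditions of Figure 3: phi for P1, phi' for P2.
phi = lambda st: st["flag2"] and st["turn"] == 2
phi_p = lambda st: st["flag1"] and st["turn"] == 1

# Labelled operations of Figure 3. ("asg", var, f) assigns f(state) to var;
# ("assume", cond) blocks unless cond holds.
OPS = {
    "a": ("asg", "flag1", lambda st: True),
    "b": ("asg", "turn", lambda st: 2),
    "A": ("assume", lambda st: not phi(st)),
    "B": ("assume", phi),
    "c": ("asg", "res", lambda st: 1),
    "d": ("asg", "l1", lambda st: st["res"]),
    "e": ("asg", "flag1", lambda st: False),
    "p": ("asg", "flag2", lambda st: True),
    "q": ("asg", "turn", lambda st: 1),
    "P": ("assume", lambda st: not phi_p(st)),
    "Q": ("assume", phi_p),
    "r": ("asg", "res", lambda st: 2),
    "s": ("asg", "l2", lambda st: st["res"]),
    "t": ("asg", "flag2", lambda st: False),
}

def wp(label, post):
    """Weakest precondition of one operation (Figure 4) with assume read as
    assert, i.e. the sigma[assume/assert] substitution of Lemma 1:
    an assignment substitutes, an assert conjoins its condition."""
    kind = OPS[label][0]
    if kind == "asg":
        _, var, f = OPS[label]
        return lambda st: post({**st, var: f(st)})
    _, cond = OPS[label]
    return lambda st: cond(st) and post(st)

def wp_trace(trace, post):
    """wp(op1.op2...opn, post) = wp(op1, wp(op2, ... wp(opn, post))), so the
    trace is scanned from its end."""
    for label in reversed(trace):
        post = wp(label, post)
    return post

def initial(st):
    # Initial state I (assumption): both flags down, res and the local copies 0,
    # turn unconstrained.
    return (not st["flag1"] and not st["flag2"] and st["res"] == 0
            and st["l1"] == 0 and st["l2"] == 0)

def check_trace(trace, not_phi):
    """Lemma 1 / Lemma 2: wp(trace[assume/assert], not phi) and I unsatisfiable
    means the trace is safe; a satisfying initial state is a witness that the
    trace terminates in a state violating phi (unsafe)."""
    pre = wp_trace(trace, not_phi)
    witnesses = [st for st in STATES if initial(st) and pre(st)]
    return ("safe", witnesses) if not witnesses else ("unsafe", witnesses)

# The running trace of Figure 7 and the negation of the property l2 = 2.
SIGMA = "abApqPrcs"
NOT_PHI = lambda st: not (st["l2"] == 2)

if __name__ == "__main__":
    verdict, wit = check_trace(SIGMA, NOT_PHI)
    print(SIGMA, verdict)   # safe: the assert derived from P fails in every state
```

The wp of σ is false on every state, not only on initial ones, which matches HMap(s0) = false derived for this trace in Section III-B.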

C. Alternating Finite Automata (AFA)

Alternating finite automata [?], [13] are a generalization of nondeterministic finite automata (NFA). An NFA is a five-tuple (S, Σ ∪ {ε}, δ, s0, S_F) with a set of states S, ranged over by s, an initial state s0, a set of accepting states S_F and a transition function δ: S × (Σ ∪ {ε}) → P(S). For any state s of this NFA, the set of words accepted by s is inductively defined as acc(s) = {a.σ | a ∈ Σ ∪ {ε}, σ ∈ Σ*, ∃s' ∈ δ(s, a). σ ∈ acc(s')}, where ε ∈ acc(s) for all s ∈ S_F. Here, the existential quantifier represents the fact that there should exist at least one outgoing transition from s along which a.σ gets accepted. An AFA is a six-tuple (S_∀, S_∃, Σ ∪ {ε}, δ, s0, S_F) with Σ, s0 and S_F ⊆ S denoting the alphabet, the initial state and the set of accepting states respectively. S = S_∀ ∪ S_∃ is the set of all states, ranged over by s, and δ: S × (Σ ∪ {ε}) → P(S) is the transition function. The set of words accepted by a state of an AFA depends on whether that state is an existential state (from the set S_∃) or a universal state (from the set S_∀). For an existential state s ∈ S_∃, the set of accepted words is inductively defined in the same way as for an NFA. For a universal state s ∈ S_∀ the set of accepted words is acc(s) = {a.σ | a ∈ Σ ∪ {ε}, ∀s' ∈ δ(s, a). σ ∈ acc(s')}, with ε ∈ acc(s) for all s ∈ S_F. Notice the change of quantifier from ∃ to ∀. In the AFA diagrams used in this paper, we annotate universal states with the symbol ∀ and existential states with the symbol ∃. For a state s, let succ(s, a) = {S' | (s, a, S') ∈ δ} be the set of a-successors of s. For an automaton A, let L(A) be the language accepted by the initial state of that automaton. For any σ ∈ Σ*, |σ| denotes the length of σ and rev(σ) denotes the reverse of σ.

III. Our Approach 

The overall approach of this paper can be described in the following steps: (i) given a concurrent program 𝒫, construct all its interleaved traces, represented by the automaton A(𝒫) defined in Subsection II-A; (ii) pick a trace σ and a safety property, say φ, to prove for this trace; (iii) prove σ correct with respect to φ using Lemma 1 and Lemma 2 and generate a set of traces which are also provably correct, call this set Tr'; (iv) remove the set Tr' from the set of traces represented by A(𝒫) and repeat from Step (ii) until either all the traces of 𝒫 are proved correct or an erroneous trace is found.

Step (iii) of this procedure, the correctness of σ, can be established by checking the unsatisfiability of wp(σ[assume/assert], ¬φ) ∧ I. However, we are not only interested in checking the correctness of σ but also in constructing a set of traces whose reasoning is similar to that of σ. Therefore, instead of computing wp(σ[assume/assert], ¬φ) directly from the weakest precondition axioms of Figure 4, we construct an AFA from σ, and Step (iv) is then achieved by applying automata-theoretic operations such as complementation and subtraction to this AFA. The notion of universal and existential states of an AFA helps us find a set of dependencies sufficient for the weakest precondition computation, so that any other trace satisfying those dependencies is captured by the AFA. The subsequent subsections cover the construction, properties and use of this AFA in detail.

A. Constructing the AFA from a Trace and a Formula

Definition 1: An AFA constructed from a trace σ of a program 𝒫 and a formula φ is A_{σ,φ} = (S_∀, S_∃, OP_ε, s0, S_F, δ, AMap, RMap), where

1) OP_ε = OP ∪ {ε} is the alphabet, ranged over by op. Here OP is the set of instructions used in program 𝒫. The symbol ε acts as the identity element of concatenation and wp(ε, φ) = φ.

2) S = S_∀ ∪ S_∃ is the largest set of states, ranged over by s, such that

a) every state is annotated with a formula and a prefix of σ, denoted by AMap(s) and RMap(s) respectively. State s0 is the initial state, with AMap(s0) = φ and RMap(s0) = σ;

b) s' ∈ S iff either of the following two conditions holds:

• ∃s ∈ S such that AMap(s') is wp(op[assume/assert], AMap(s)), RMap(s) = RMap(s').op.σ' and σ' is the largest suffix of RMap(s) such that the formula AMap(s) is stable with respect to σ'[assume/assert];

• ∃s ∈ S such that AMap(s) = ∧{φ1, ..., φk} or AMap(s) = ∨{φ1, ..., φk}, RMap(s) = RMap(s'), AMap(s') = φ' and φ' ∈ {φ1, ..., φk};

c) a state s ∈ S is an existential state (universal state) iff AMap(s) is a literal (compound formula);

3) S_F ⊆ S is the set of accepting states such that s ∈ S_F iff wp(RMap(s)[assume/assert], AMap(s)) is the same as AMap(s), i.e. AMap(s) is stable with respect to RMap(s)[assume/assert]; and

4) the function δ: S × OP_ε → P(S) is defined in Figure 5.

    δ(s, op) =
      {s'}              if 1. AMap(s') = wp(op[assume/assert], AMap(s)),
                           2. s is an existential state, and
                           3. RMap(s) = RMap(s').op.σ'' where σ'' is the longest sequence s.t.
                              wp(σ''[assume/assert], AMap(s)) = AMap(s)           (LITERAL-ASSN)
      {s}               if 1. AMap(s) = wp(op[assume/assert], AMap(s)), and
                           2. s is an existential state                            (LITERAL-SELF-ASSN)
      {s1, ..., sk}     if 1. AMap(s) = ∧_k φ_k or AMap(s) = ∨_k φ_k,
                           2. AMap(s_k) = φ_k,
                           3. ∀k, RMap(s) = RMap(s_k), and
                           4. op = ε                                               (COMPOUND-ASSN)
      {}                otherwise

Fig. 5: Transition function used in Definition 1

Following Point 2b, any state added to S is annotated with either a smaller RMap or a smaller formula than the states already present in S. Further, every formula and the trace σ are of finite length. Hence the set of states S is finite. By Point 2c of this construction, a state s where AMap(s) is a compound formula is always a universal state, irrespective of whether AMap(s) is a conjunction or a disjunction of clauses. The reason behind this decision will become clear when we use this AFA to inductively construct the weakest precondition wp(σ[assume/assert], φ). Note that we assume every formula is normalized into CNF.

Figure 7 shows an example trace σ = abApqPrcs of Peterson's algorithm. This trace is picked from the Peterson specification in Figure 3. To prove σ correct with respect to the safety formula φ = (ℓ2 = 2) we first construct A_{σ,¬φ}, which will later help us derive wp(σ[assume/assert], ¬φ). This AFA is shown in Figure 6. For a state s, AMap(s) is written inside the rectangle representing that state and RMap(s) is written inside an ellipse next to that state. We show here some of the steps of this construction.

Fig. 7: A trace from Peterson's algorithm: σ = abApqPrcs

Fig. 6: AFA of the trace given in Figure 7 and φ = ¬(ℓ2 = 2) (diagram not reproduced; the AMap annotations shown in it include flag2 = false, turn = 1 and flag1 = false || turn = 2, with self-loops labelled OP_ε \ {a, e, A, P} and OP_ε \ {p, t, A, P})

1) By Definition 1 we have AMap(s0) = ¬(ℓ2 = 2) and RMap(s0) = σ = abApqPrcs for the initial state s0.

2) In a transition δ(s, op) = {s'} created by Rule LITERAL-ASSN, the state s' is annotated with the weakest precondition of an operation op, taken from RMap(s), with respect to AMap(s). The operation op is picked in such a way that AMap(s) is stable with respect to every other operation present after op in RMap(s). Such transitions capture the inductive construction of the weakest precondition for the given φ and trace σ. The transition δ(s0, s) = {s1} in Figure 6 is created by this rule as wp(s[assume/assert], AMap(s0)) = AMap(s1) and RMap(s0) = RMap(s1).s.

3) In any transition created by Rule COMPOUND-ASSN, say from s to s1, ..., sk, the states s1, ..., sk are annotated with the subformulae of AMap(s). For example, the transitions δ(s3, ε) = {s4, s5} and δ(s7, ε) = {s8, s9}.

4) The transition δ(s8, a) = {s12} follows from Rule LITERAL-ASSN. Note that RMap(s12) is empty and hence, by Point 3 of Definition 1, s12 is an accepting state. By the same reasoning, states s6, s10 and s13 are also accepting states.

5) Rule LITERAL-SELF-ASSN adds a self transition at a state s on a symbol op ∈ OP_ε such that AMap(s) is stable with respect to op[assume/assert]. For example, the transitions δ(s0, op) = {s0} where op ∈ OP_ε \ {s, A, P}.
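To make Definition 1 and the acceptance semantics of Section II-C concrete, here is an added Python example (not the paper's or ProofTraPar's code) that builds A_{σ,φ} for the assignment-only trace abc of Figure 2(a) with the postcondition y > 3 ∧ t < x ∧ r > w and checks which words the resulting AFA accepts. Formulas are plain strings compared syntactically, as the paper assumes, and conjunctions are tuples of literals; finding the longest stable suffix of Rule LITERAL-ASSN by stripping stable operations one at a time is an assumed simplification.

```python
import re
from itertools import permutations

# Trace of Figure 2(a) as label -> (assigned variable, expression). Constructed input.
OPS = {"a": ("y", "w"), "b": ("r", "w+1"), "c": ("t", "x-1")}
EPS = ""                          # the symbol epsilon of OP_epsilon

def wp(label, lit):
    """wp of one assignment x := exp w.r.t. a literal (Figure 4): lit[x/exp].
    Substitution is purely syntactic, matching the paper's syntactic equality."""
    if label == EPS:
        return lit
    var, exp = OPS[label]
    rep = exp if re.fullmatch(r"\w+", exp) else "(" + exp + ")"
    return re.sub(r"\b%s\b" % re.escape(var), rep, lit)

def wp_seq(seq, lit):
    """wp(op1 ... opn, lit) = wp(op1, wp(op2, ... wp(opn, lit))): scan from the end."""
    for label in reversed(seq):
        lit = wp(label, lit)
    return lit

def build_afa(post, trace):
    """Definition 1. A state is the pair (AMap, RMap); AMap is a tuple of literals.
    Compound states (len > 1) are universal, literal states are existential.
    Returns (initial state, delta, set of universal states)."""
    s0 = (tuple(post), tuple(trace))
    delta, universal, todo = {}, set(), [s0]
    while todo:
        s = todo.pop()
        if s in delta:
            continue
        delta[s] = {}
        amap, rmap = s
        if len(amap) > 1:                         # COMPOUND-ASSN: epsilon to each literal
            universal.add(s)
            for lit in amap:
                t = ((lit,), rmap)
                delta[s].setdefault(EPS, set()).add(t)
                todo.append(t)
            continue
        lit = amap[0]
        for label in OPS:                         # LITERAL-SELF-ASSN (epsilon loops omitted:
            if wp(label, lit) == lit:             # they do not change the language)
                delta[s].setdefault(label, set()).add(s)
        rest = list(rmap)                         # LITERAL-ASSN: strip the stable suffix sigma''
        while rest and wp(rest[-1], lit) == lit:  # one operation at a time (assumption)
            rest.pop()
        if rest:
            label = rest.pop()
            t = ((wp(label, lit),), tuple(rest))
            delta[s].setdefault(label, set()).add(t)
            todo.append(t)
    return s0, delta, universal

def accepting(s):
    """Point 3 of Definition 1: AMap(s) is stable w.r.t. RMap(s)."""
    amap, rmap = s
    return all(wp_seq(rmap, lit) == lit for lit in amap)

def accepts(afa, word, s=None):
    """acc(s) of Section II-C: a universal state needs every epsilon-successor to
    accept the word, an existential state needs one successor on the next symbol."""
    s0, delta, universal = afa
    s = s0 if s is None else s
    if s in universal:
        return all(accepts(afa, word, t) for t in delta[s].get(EPS, ()))
    if word == "":
        return accepting(s)
    return any(accepts(afa, word[1:], t) for t in delta[s].get(word[0], ()))

def accepted_permutations(afa, letters="abc"):
    """Traces whose reverse the AFA accepts (by Lemma 3 the AFA reads rev(sigma))."""
    return sorted("".join(p) for p in permutations(letters)
                  if accepts(afa, "".join(p)[::-1]))

POST = ["y>3", "t<x", "r>w"]          # postcondition of the Hoare triple in Section I
AFA = build_afa(POST, "abc")

if __name__ == "__main__":
    print(accepted_permutations(AFA))  # all six permutations, the set of Figure 2(c)
    print(accepts(AFA, "ba"))          # False: without c the literal t<x never stabilizes
```

Each literal state loops on the operations that leave its literal unchanged and advances only on the one that rewrites it, which is why every interleaving of the three data-independent events is accepted in one iteration.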

The following lemma relates RMap(s) at any state to the set of words accepted by s in this AFA.

Lemma 3: Given a σ ∈ L(A(𝒫)) and φ, let A_{σ,φ} be the AFA satisfying Definition 1. For every state s of this AFA, the condition rev(RMap(s)) ∈ acc(s) holds.

A detailed proof of this lemma is given in Appendix C. The lemma uses the reverse of RMap(s) in its statement because the weakest precondition of a sequence is constructed by scanning it from the end. This can be seen in the transition rule LITERAL-ASSN. As a corollary, rev(σ) is also accepted by this AFA because, by Definition 1, RMap(s0) is σ. ∎

    HMap(s) ≝
      AMap(s)            if s ∈ S_F                                                  (BASE-CASE)
      ∧_k HMap(s_k)      if δ(s, ε) = {s1, ..., sk} and AMap(s) = ∧_k AMap(s_k)      (CONJ-CASE)
      ∨_k HMap(s_k)      if δ(s, ε) = {s1, ..., sk} and AMap(s) = ∨_k AMap(s_k)      (DISJ-CASE)
      HMap(s')           if (s, op, {s'}) ∈ δ                                        (LIT-CASE)

Fig. 8: Rules for HMap construction

B. Constructing the weakest precondition from A_{σ,φ}

After constructing A_{σ,φ}, the rules given in Figure 8 are used to inductively construct and assign a formula, HMap(s), to every state s of A_{σ,φ}. Figure 9 shows the AFA of Figure 6 with its states annotated with the formula HMap(s). This formula is shown in the ellipse beside every state. For better readability we do not show RMap(s) in this figure.

Following Rule BASE-CASE, HMap of s6, s12 and s13 are set to false whereas HMap(s10) is set to flag2 = false. By Rule LIT-CASE, HMap of s5, s8 and s11 are also set to false. After applying Rule DISJ-CASE to the transition δ(s9, ε) = {s10, s11}, HMap(s9) is set to flag2 = false. Similarly, using Rule CONJ-CASE we get HMap(s7) as false. Finally, HMap(s0) is also set to false. HMap constructed inductively in this manner satisfies the following property:

    Algorithm 1: Converting universal to existential states while preserving Lemma 4
    Data: Input AFA (S_∀, S_∃, OP ∪ {ε}, δ, s0, S_F, AMap, RMap)
    Result: Modified AFA
     1  Let s be a state in the AFA such that s ∈ S_∀, δ(s, ε) = {s1, ..., sk},
        HMap(s) is unsatisfiable, and AMap(s) = ∧_k AMap(s_k);
     2  Let Unsatcore(s) ⊆ P({s1, ..., sk}) such that {s'1, ..., s'j} ∈ Unsatcore(s) iff
        {HMap(s'1), ..., HMap(s'j)} is a minimal unsat core of ∧_k HMap(s_k);
     3  Create an empty set U;
     4  foreach {s'1, ..., s'j} ∈ Unsatcore(s) do
     5      create a new universal state s_u ∈ S_∀ and add it to the set U;
     6      Set AMap(s_u) = ∧_i AMap(s'i);
     7      Set HMap(s_u) = ∧_i HMap(s'i);
     8      Add a transition by setting δ(s_u, ε) = {s'1, ..., s'j};
     9  end
    10  Remove the transition δ(s, ε) = {s1, ..., sk};
    11  Convert s to an existential state;
    12  Add a transition from s on ε by setting δ(s, ε) = U, where U is the set of
        universal states created one for each element of Unsatcore(s);

Fig. 9: HMap construction for the running example (diagram not reproduced)

Lemma 4: Let A be an AFA constructed from a trace and a postcondition as in Definition 1. Then for every state s of this AFA and for every word σ accepted by state s, HMap(s) is logically equivalent to wp(rev(σ)[assume/assert], AMap(s)).

Here we present the proof outline; a detailed proof is given in Appendix E. First consider the accepting states of A, for example states s6, s10, s12 and s13 of Figure 9. Following the definition of an accepting state and by the self-loop adding transition rule LITERAL-SELF-ASSN, every word σ accepted by such an accepting state s satisfies wp(rev(σ)[assume/assert], AMap(s)) = AMap(s). Therefore, setting HMap(s) to AMap(s) for these accepting states, as done in Rule BASE-CASE, completes the proof for accepting states.

Now consider a state s with transition δ(s, ε) = {s1, ..., sk} created using Rule COMPOUND-ASSN and let σ be a word accepted by s. By construction, s must be a universal state and hence σ must be accepted by each of s1, ..., sk as well. Using this lemma inductively on the successor states s1, ..., sk (induction on the formula size) we get wp(σ[assume/assert], AMap(si)) = HMap(si) for all i ∈ {1, ..., k}. Now we can apply Property 1, depending on whether AMap(s) is a conjunction or a disjunction of the AMap(s_k). Replacing AMap(s) with ∨_k AMap(s_k) (∧_k AMap(s_k)) and HMap(s) with ∨_k HMap(s_k) (∧_k HMap(s_k)) completes the proof. Note that making s a universal state when AMap(s) is either a conjunction or a disjunction allowed us to use Property 1 in this proof. Otherwise, if we made s an existential state when AMap(s) is a disjunction of formulae, we could not prove this lemma for states where HMap(s) is constructed using Rule DISJ-CASE. ∎

This lemma serves two purposes. First, it checks the correctness of the trace σ w.r.t. the safety property for which this AFA was constructed: if HMap(s0) ∧ I is unsatisfiable, as in our Peterson example trace, then σ is declared correct. Second, it guarantees that every trace accepted by this AFA that is present in the set of all traces of 𝒫 is also safe, and hence we can skip proving their correctness altogether. Removing such traces is equivalent to subtracting the language of this AFA from the language representing the set of all traces. A natural question to ask is then whether we can enlarge the set of words accepted by this AFA while preserving Lemma 4.


C. Enlarging the set of words accepted by A_{σ,φ}

Converting Universal States to Existential States. Figure 10 shows an example trace σ = abcde obtained from the parallel composition of some program P. Figure 11 shows the AFA constructed for σ and φ = s < t ∧ z < x. From Lemma 4 we get wp(σ, φ) as false. Note that wp(σ, s < t) and wp(σ, z < x) are both unsatisfiable, i.e., we have two ways to derive the unsatisfiability of wp(σ, φ): one is due to the operation d, and the other is due to the operation a followed by the operation e. In this example, any word that enforces either of these two ways will derive false as the weakest precondition. For example, the sequence σ' = adcbe is not accepted by the AFA of Figure 11, but the condition wp(rev(σ'), ¬φ) = false follows from wp(d, ¬φ) = false, which is already captured in the AFA of Figure 11. Note that states s1 and s2 in Figure 11 are annotated with unsatisfiable HMap assertions. It seems sufficient to take any one of these branches to argue the unsatisfiability of HMap(s0), because HMap(s0), by definition, is the conjunction of HMap(s1) and HMap(s2). Therefore, if we convert s0, a universal state, to an existential state then the modified AFA will accept adcbe.

Let us look at Algorithm 1 to see the steps involved in this transformation. The algorithm picks a universal state s such that AMap(s) is a conjunction of clauses and only a subset of its successors is sufficient to make HMap(s) unsatisfiable. State s0 of Figure 11 is one such state. For each such minimal subset of its successors, the algorithm creates a universal state, as shown in Line 5. It is easy to see that HMap(s_u) is also unsatisfiable. Before adding the transition δ(s_u, ε) = {s'1, ..., s'j} to the AFA, the algorithm sets AMap(s_u) to ∧_i AMap(s'i). By construction, every word accepted by s_u must be accepted by s'1, ..., s'j. Each of these states s'1, ..., s'j satisfies Lemma 4. Hence Lemma 4 continues to hold for these newly created universal states as well. Now consider a newly created transition (s, ε, U) in Line 12. For any state s'' ∈ U, AMap(s) logically implies AMap(s'') because s'' represents a subset of the original successors
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a. Y:=x + 1 

b. W:=t 
C. z:=w 

d. S:=t + 1 

e. z:=Y 

Fig. 10: Example Trace 



Fig. 11: AFA for a given in Figure [To] Fig. 12: AFA of Figure HI after Modification 


5(s, op) = op) u {s'} iff 

r HMap(s) and HMap(s') are unsatisfiable, 

(s) is a literal, and 

op[assume/assert]AMap(s) => Aiyiap(s') 

(Rule-Unsat) 

' OR 

HMap(s) and HMap(s’) are valid 
(s) is a literal, and 

, (s') => wp(op[assuine/assert], AMap(s)) 

(Rule-Valid) 

Fig. 13: Rules for adding more edges 


of s, viz. As s is now an existential state, any 

word accepted by s, say a', is accepted by at least one 
state in U, say s'. Using Lemma |4] on s', HMap(s') is logi¬ 
cally equivalent to wp(rev(cr')[assume/assert],AMap(s')). 
Using unsatisfiability of HMap(s) and HMap(s') and the 
monotonicity property of the weakest precondition. Prop¬ 
erty |2] we get that HMap(s) is logically equivalent to 
wp(rev((T')[assume/assert],AMap(s)). This transformation 
is formally proved correct in Appendix |E] 

Adding More Transitions to A_{σ,φ} using the Monotonicity 
Property of the Weakest Precondition. We further modify 
A_{σ,φ} by adding more transitions. For any two states s and 
s' such that AMap(s) and AMap(s') are literals, both HMap(s) 
and HMap(s') are unsatisfiable, and there exists a symbol a 
(which can be ε as well) such that wp(a[assume/assert], AMap(s)) 
logically implies AMap(s'), an edge labeled a is added from s 
to s'. This transformation also preserves Lemma 4, following 
the same monotonicity property, Property 2, used in the previous 
transformation. A similar argument holds when HMap(s) 
and HMap(s') are valid and AMap(s') ⇒ wp(a, AMap(s)) holds. 
The rules for adding edges are shown in Figure 13. 

Figure 12 shows the AFA of Figure 9 modified by the above 
transformations. Rule-Unsat adds an edge from s4 
to s8 on symbol e because HMap(s4) and HMap(s8) are 
unsatisfiable and wp(e, AMap(s4)) logically implies AMap(s8). 
The same rule also adds a self loop at s8 on operation P and a 
self loop at s2 on operation A. Transformation by Algorithm 
1 removes the transition from s7 to s8 and all other states 
reachable from s8. Now consider a trace rev(abpqPArcs) 
that is accepted by this modified AFA in Figure 12 but was 
not accepted by the original AFA of Figure 9. Note that 
wp(abpqPArcs, ¬(£2 = 2)) is unsatisfiable, and this is a direct 
consequence of Lemma 4. Because of the transformations 
presented in this sub-section we do not need to reason about 
this trace separately. This transformation is formally proved 
correct in Appendix F. 

Algorithm 2: Algorithm to check the safety assertions of 
a concurrent program P 

Input: A concurrent program P = {p_1, ..., p_n} with safety 
property map Assrn_P 
Result: yes, if the program is safe, else a counterexample 

1  Let A(P) be the automaton that represents the set of all 
   the SC executions of P (as defined in Section II); 
2  Set tmp := L(A(P)); 
3  while tmp is not empty do 
4    Let σ ∈ tmp with φ as a safety assertion to be checked; 
5    Let A_{σ,¬φ} be the AFA constructed from σ and ¬φ; 
6    if I ∧ HMap(s0) is satisfiable then 
7      σ is a valid counterexample violating φ; 
8      return (σ); 
9    else 
10     Let A' be the AFA modified by the proposed transformations; 
11     tmp := tmp \ Rev, where Rev = {rev(σ) | σ ∈ L(A')}; 
12   end 
13 end 
14 return (yes); 
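The three checks this sub-section and Algorithm 2 rely on are all weakest-precondition computations followed by a satisfiability or validity test: the Lemma 1/2 check on a trace (Line 6 of Algorithm 2), the search for minimal subsets of a universal state's successors whose HMap conjunction is already unsatisfiable (Algorithm 1), and the implication premise of Rule-Unsat in Figure 13. The following Python block is an added illustration, not code from ProofTraPar; it implements wp for assignments and for assume under the [assume/assert] reading on a small constructed expression language and, since the paper targets finite-state programs, replaces the theorem prover by brute-force enumeration over an assumed bounded value domain (0..3). The trace is the one of Figure 10 and the post-condition is s ≤ t ∧ z < x; the variable names, the domain and the helper names are assumptions of this example.

```python
import itertools

# Constructed mini-language: expressions and formulas are nested tuples.
#   ('var', 'x') | ('const', 3) | ('+', e1, e2) | ('-', e1, e2)
#   ('<', e1, e2) | ('<=', e1, e2) | ('==', e1, e2)
#   ('and', f, g) | ('or', f, g) | ('not', f)


def subst(e, x, repl):
    """Return e with every occurrence of variable x replaced by expression repl."""
    if e[0] == 'var':
        return repl if e[1] == x else e
    if e[0] == 'const':
        return e
    return (e[0],) + tuple(subst(sub, x, repl) for sub in e[1:])


def evaluate(e, state):
    """Evaluate an expression or formula in a concrete state (dict var -> int)."""
    tag = e[0]
    if tag == 'var':
        return state[e[1]]
    if tag == 'const':
        return e[1]
    if tag == 'not':
        return not evaluate(e[1], state)
    a, b = evaluate(e[1], state), evaluate(e[2], state)
    return {'+': a + b, '-': a - b, '<': a < b, '<=': a <= b,
            '==': a == b, 'and': a and b, 'or': a or b}[tag]


def wp_op(op, post):
    """wp of one operation; assume is treated as assert ([assume/assert])."""
    if op[0] == 'assign':                 # op = ('assign', x, E)
        return subst(post, op[1], op[2])  # wp(x := E, phi) = phi[E/x]
    if op[0] == 'assume':                 # op = ('assume', psi)
        return ('and', op[1], post)       # wp(assert(psi), phi) = psi /\ phi
    raise ValueError(f"unknown operation {op!r}")


def wp_trace(trace, post):
    """wp(a1 ... an, phi) = wp(a1, wp(a2, ... wp(an, phi)))."""
    for op in reversed(trace):
        post = wp_op(op, post)
    return post


def satisfying_state(formula, variables, domain):
    """Brute-force satisfiability over a bounded domain (assumption: finite-state
    program); returns a witness state, or None when the formula is unsatisfiable."""
    for values in itertools.product(domain, repeat=len(variables)):
        state = dict(zip(variables, values))
        if evaluate(formula, state):
            return state
    return None


def check_trace(trace, neg_assertion, init, variables, domain):
    """Lemma 1/2 check: None means the trace provably satisfies the assertion
    from init; otherwise a concrete initial state from which it is violated."""
    return satisfying_state(('and', init, wp_trace(trace, neg_assertion)),
                            variables, domain)


def minimal_unsat_subsets(clauses, variables, domain):
    """Index sets of conjuncts that are unsatisfiable on their own and minimal:
    the successor subsets for which Algorithm 1 creates a new universal state."""
    found = []
    for size in range(1, len(clauses) + 1):
        for combo in itertools.combinations(range(len(clauses)), size):
            if any(set(f) <= set(combo) for f in found):
                continue  # contains an already-found unsat subset: not minimal
            conj = clauses[combo[0]]
            for i in combo[1:]:
                conj = ('and', conj, clauses[i])
            if satisfying_state(conj, variables, domain) is None:
                found.append(combo)
    return found


def rule_unsat_edge(op, amap_s, amap_t, variables, domain):
    """Premise of Rule-Unsat for two literal-labelled states: does
    wp(op[assume/assert], AMap(s)) imply AMap(s') on every state of the domain?"""
    counter = ('and', wp_op(op, amap_s), ('not', amap_t))
    return satisfying_state(counter, variables, domain) is None


# Constructed data: the trace of Fig. 10 and the post-condition s <= t /\ z < x.
V = lambda n: ('var', n)
K = lambda n: ('const', n)
TRACE = [('assign', 'y', ('+', V('x'), K(1))),   # a: y := x + 1
         ('assign', 'w', V('t')),                # b: w := t
         ('assign', 'z', V('w')),                # c: z := w
         ('assign', 's', ('+', V('t'), K(1))),   # d: s := t + 1
         ('assign', 'z', V('y'))]                # e: z := y
VARS = ['x', 'y', 'z', 'w', 's', 't']
DOMAIN = range(4)            # assumption: every variable ranges over 0..3
TRUE = ('==', K(0), K(0))    # initial condition I: no constraint
S_LE_T, Z_LT_X = ('<=', V('s'), V('t')), ('<', V('z'), V('x'))

if __name__ == '__main__':
    print(check_trace(TRACE, ('and', S_LE_T, Z_LT_X), TRUE, VARS, DOMAIN))
    print(minimal_unsat_subsets([wp_trace(TRACE, S_LE_T), wp_trace(TRACE, Z_LT_X)],
                                VARS, DOMAIN))
```

Running the block reports that wp(abcde, s ≤ t ∧ z < x) has no satisfying state, and that each of the two conjuncts is unsatisfiable by itself, which is exactly the situation in which Algorithm 1 may turn s0 into an existential state. Dropping operations a, d and e from the trace (keeping only b and c) yields a witness state instead, which is how Line 8 of Algorithm 2 obtains its counterexample; a trace that starts with assume(x = 0) shows the [assume/assert] reading, since the assumed condition is conjoined into the precondition rather than used as a guard.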


D. Putting All Things Together For Safety Verification 

In Algorithm 2 all the above steps are combined to check 
whether all the SC executions of a concurrent program P satisfy the 
safety properties specified as assertions. The proof of the following 
theorem is given in Appendix G. 

Theorem 1: Let P = {p_1, ..., p_n} be a finite state program 
(with or without loops) with associated assertion maps 
Assrn_P. All assertions of this program hold iff Algorithm 2 
returns yes. If the algorithm returns a word σ then at least 
one assertion fails in the execution of σ. 
Program                  ProofTraPar   THREADER [10]   Lazy-CSeq [11] 
Peterson.safe            0.3           3.2             3.1 
Dekker.safe              1.1           1.7             4.2 
Lamport.safe             2.4           47              5.1 
Szymanski.safe           3             12.8            4 
TimeVarMutex.safe        0.76          8.56            4.2 
RWLock.safe (2R+2W)      8.8           140             6.7 
RWLock.unsafe (2R+2W)    3.8           153             0.7 
Qrcu.safe (2R+1W)        20            -               41 
Qrcu.unsafe (2R+1W)      13.8          76              1.1 

Fig. 14: Comparison with THREADER [10] and Lazy-CSeq [11] (Time in seconds) 


IV. Experimental Evaluation 

We implemented our approach in a prototype tool, 
ProofTraPar. This tool reads the input program written 
in a custom format. In future, we plan to use off-the-shelf 
parsers such as CIL or LLVM to remove this dependency. 
Individual processes are represented using finite state 
automata. We use an automata library, libFAUDES, to carry 
out operations on automata. As this library does not provide 
operations on AFA, mainly complementation and intersection, 
we implemented them in our tool. After constructing the AFA 
from a trace we first remove ε transitions from this AFA. 
This is followed by adding additional edges to the AFA using the 
proposed transformations. Instead of reversing this AFA (as 
in Line 11 of Algorithm 2) we subtract it from an NFA that 
represents the reversed language of the set of all traces. This 
avoids the need to reverse an AFA. Note that we do not 
convert our AFA to an NFA but rather carry out the intersection and 
complementation operations (needed for the language subtraction 
operation) directly on the AFA. Our tool uses the Z3 theorem 
prover to check the validity of formulae during AFA 
construction. ProofTraPar can be accessed from the repository 
https://github.com/chinuhub/ProofTraPar.git 

Figure 14 tabulates the results of verifying the pthread- 
atomic category of the SV-COMP benchmarks using our tool, 
THREADER [10] and Lazy-CSeq [11]. These tools were 
the winners in the concurrency category of the software 
verification competition of 2013 (THREADER), 2014 and 
2015 (Lazy-CSeq). A dash (-) denotes that the tool did not 
finish the analysis within 15 minutes. Numbers in bold text 
denote the best time of that experiment. Safe/unsafe versions 
of these programs are labeled with .safe/.unsafe. Except on 
the Reader-Writer Lock and on the unsafe version of QRCU (Quick 
Read Copy Update), our tool performed better than the other 
two tools. On unsafe versions, our approach took more time 
to find an erroneous trace as compared to Lazy-CSeq 
[11]. Context-bounded exploration by Lazy-CSeq [11] and the 
presence of bugs at a shallow depth seem to be a possible reason 
behind this performance difference. Introducing priorities 
while picking traces in order to make our approach efficient 
in bug-finding is left open for future work. 

V. Related Work 

Verifying the safety properties of a concurrent program 
is a well studied area. Automated verification tools which 
use model checking based approaches employ optimizations 
such as Partial Order Reductions (POR) to 
handle a larger number of interleavings. These optimizations 
also selectively check a representative set of traces among the 
set of all interleavings. POR based methods were traditionally 
used in bug finding, but recently they have been extended 
efficiently, using abstraction and interpolants, to proving 
programs correct. The technique presented in this paper, 
using AFA, can possibly be used to keep track of partial orders 
in POR based methods. In [15], a formalism called concurrent 
trace program (CTP) is defined to capture a set of interleavings 
corresponding to a concurrent trace. A CTP captures the partial 
orders encoded in that trace. Corresponding to a CTP, a 
formula f_CTP is defined such that f_CTP is satisfiable iff there is 
a feasible linearization of the partial orders encoded in the CTP 
that violates the given property. Our AFA is also constructed 
from a trace, but unlike a CTP it only captures those different 
interleavings which guarantee the same proof outline. Recently 
in [13], a formalism called HB-formula has been proposed 
to capture the set of happens-before relations in a set of 
executions. This relation is then used for multiple tasks such as 
synchronization synthesis [12], bug summarization and predicate 
refinement. Since the AFA constructed by our algorithm can 
also be represented as a boolean formula (universal states 
correspond to conjunction and existential states correspond 
to disjunction) that encodes the ordering relations among the 
participating events, it will be interesting to explore other 
usages of this AFA along the lines of [13]. 

VI. Conclusion and Future Work 

We presented a trace partitioning based approach for 
verifying safety properties of a concurrent program. To this 
end, we introduced a novel construction of an alternating 
finite automaton to capture the proof of correctness of a 
trace in a program. We also presented an implementation of 
our algorithm which compared competitively with existing 
state-of-the-art tools. We plan to extend this approach to 
parameterized programs and programs under relaxed memory 
models. We also plan to investigate the use of interpolants 
with weakest precondition axioms to incorporate abstraction 
for handling infinite state programs. 
Appendix 

A. Proof of Lemma 1 

We prove it by induction on n, the length of σ. 

1) Base case |σ| = 0: If |σ| = 0 then wp(σ[assume/assert], ¬φ) 
= ¬φ. If ¬φ ∧ I is unsatisfiable then I satisfies φ. 
Hence proved. 

2) Induction step, |σ| = n + 1: Let σ = σ'.a. If 
wp(σ'.a[assume/assert], ¬φ) ∧ I is unsatisfiable then the 
following cases can happen based on a. 

• a : x := E: If wp(σ'.a[assume/assert], ¬φ) ∧ I 
is unsatisfiable then wp(σ'[assume/assert], 
wp(a, ¬φ)) ∧ I is also unsatisfiable. By 
substituting wp(a, ¬φ) with ¬φ[E/x] we get 
that wp(σ'[assume/assert], ¬φ[E/x]) ∧ I is 
unsatisfiable. Using IH on σ' it implies that after 
executing σ' from I the execution either does 
not terminate or terminates in a state satisfying 
φ[E/x]. If σ' does not terminate then neither does the 
execution of σ starting from I. If σ' terminates in 
a state satisfying φ[E/x] then by the definition of 
the weakest precondition, execution of a from this 
state will satisfy φ. Hence proved. 

• a : assume(φ'): If wp(σ'.a[assume/assert], 
¬φ) ∧ I is unsatisfiable then 
wp(σ'[assume/assert], wp(a, ¬φ)) ∧ I is 
also unsatisfiable. By substituting wp(a, ¬φ) with 
φ' ∧ ¬φ we get that wp(σ'[assume/assert], 
φ' ∧ ¬φ) ∧ I is unsatisfiable. Using IH on σ' it 
implies that after executing σ' from I the execution 
either does not terminate or terminates in a 
state satisfying ¬φ' ∨ φ. If σ' does not terminate 
then the execution of σ from I does not terminate 
as well. If σ' terminates in a state satisfying ¬φ' 
then the execution of a blocks and hence the 
execution of σ does not terminate. If σ' terminates 
in a state satisfying φ' then ¬φ' does not hold, so 
φ ∧ φ' must hold. Execution of assume(φ') acts as a 
nop instruction and the resultant state satisfies φ. 
Hence proved. 

• a : lock(x): As the weakest precondition of lock(x) 
is obtained from the weakest preconditions of the 
assignment and assume instructions, the same 
reasoning works for this case. 

B. Proof of Lemma 2 

Proof: Let us prove it by induction on the length of σ. 

1) Base case, |σ| = 0: When the length of σ is 0 and I ∧ ¬φ 
is satisfiable then I does not satisfy φ. Hence proved. 

2) Induction step, |σ| = n + 1: Let σ = σ'.a. The following cases 
can happen based on the type of a. 

• a : x := E: If wp(σ[assume/assert], 
¬φ) ∧ I is satisfiable then wp(σ'[assume/assert], 
wp(a, ¬φ)) ∧ I is also satisfiable. By 
substituting wp(a, ¬φ) = ¬φ[E/x] we get that 
wp(σ'[assume/assert], ¬φ[E/x]) ∧ I is satisfiable. 
By IH on σ', execution of σ' from I terminates 
in a state not satisfying φ[E/x]. By definition of 
the weakest precondition, the state reached after 
executing a from this state does not satisfy φ. Hence 
proved. 

• a : assume(φ'): If wp(σ[assume/assert], 
¬φ) ∧ I is satisfiable then wp(σ'[assume/assert], 
wp(assume(φ')[assume/assert], ¬φ)) ∧ I 
is also satisfiable. By substituting 
wp(assume(φ')[assume/assert], ¬φ) = φ' ∧ ¬φ 
we get that wp(σ'[assume/assert], 
¬(¬φ' ∨ φ)) ∧ I is satisfiable. By IH on 
σ', execution of σ' from I terminates in a state 
not satisfying ¬φ' ∨ φ. In other words, φ' and 
¬φ hold in the state reached after executing σ' 
from I. Therefore, after executing assume(φ'), the 
resultant state satisfies ¬φ, and hence proved. 

• a : lock(x): Similar to the combination of the above 
two cases. 

C. Proof of Lemma 3 

Proof: We use induction for this proof. Let us use the 
following ordering on the states of A_{σ,φ}: for any two states s 
and s', s < s' if |RMap(s)| < |RMap(s')| or, if the lengths are the same, 
AMap(s) is a sub-formula of AMap(s'). Any two states 
which are not related by this order are put in an arbitrary order to 
make < a total order. It is clear that the smallest state in 
this total order must be one of the accepting states. Now we 
are ready to proceed by induction using this total order. 

• Base case: For every accepting state s ∈ S_F, by Point 3 
of Definition 1 the condition wp(op, AMap(s)) = AMap(s) 
holds for every op occurring in RMap(s). Further, by transition 
rule Literal-Self-Assn of this AFA, a self transition 
must be there for all such op, and hence 
the condition rev(RMap(s)) ∈ acc(s) holds (because 
these transitions can be taken in any order to construct 
the required word). 

• Induction step: The following possibilities exist for the state s. 

- s is a universal state: By construction, there are 
states s_1, ..., s_k such that (s, ε, {s_1, ..., s_k}) is a 
transition. By our induction ordering, s_1, ..., s_k are 
smaller than s and hence we apply IH on them to 
get that rev(RMap(s_i)) ∈ acc(s_i) for i ∈ {1, ..., k}. 
However, by the transition rule Compound-Assn, 
RMap(s) = RMap(s_1) = ... = RMap(s_k) and hence 
rev(RMap(s)) ∈ acc(s_i) for i ∈ {1, ..., k}. By the 
definition of acc(s) for a universal state, acc(s) is the 
intersection of the sets acc(s_i) for i ∈ {1, ..., k}, and 
hence we get the required result, viz. rev(RMap(s)) ∈ 
acc(s). 

- s is an existential state: If s is an accepting state then 
the base case holds here. Consider the case when s is not 
an accepting state. It should have a successor state 
s' such that (s, op, {s'}) is a transition. By transition 
rule Literal-Assn, RMap(s) = RMap(s').op.σ'' 
such that wp(σ''[assume/assert], AMap(s)) = 
AMap(s). By transition rule Literal-Self-Assn, 
s will have self loop transitions on all symbols in 
σ'' (*). Applying IH on s' gives that rev(RMap(s')) ∈ 
acc(s') (#). Because of the transition (s, op, {s'}), 
op.acc(s') ⊆ acc(s). This along with (#) gives 
us op.rev(RMap(s')) ∈ acc(s) (**). Rearranging this 
and using (*) we get rev(RMap(s').op.σ'') ∈ acc(s), 
or equivalently rev(RMap(s)) ∈ acc(s). Hence 
proved. 

■ 

D. Proof of Lemma 4 

Proof: We use induction for this proof. As in 
the previous proof, let us use the following ordering on 
the states of A: for any two states s and s', s < s' if 
|RMap(s)| < |RMap(s')| or, if the lengths are the same, AMap(s) 
is a sub-formula of AMap(s'). Any two states which are not 
related by this order are put in an arbitrary order to make < a total 
order. It is clear that the smallest state in this total order must 
be one of the accepting states. Now we are ready to proceed 
by induction using this total order. 

• Base case: By the definition of the accepting states in the AFA 
construction, Point 3 of Definition 1, and the self loop 
transition rule Literal-Self-Assn, we know that 
for every word σ' ∈ acc(s), wp(σ'[assume/assert], 
AMap(s)) = AMap(s). Rule Base-Case sets 
HMap(s) equal to AMap(s) for such states, hence the 
statement of this lemma follows for the accepting states. 

• Induction step: we pick a state s such that one of the 
following holds. 

1) s is a universal state: By construction, there are 
states s_1, ..., s_k such that (s, ε, {s_1, ..., s_k}) is 
a transition. Let σ be a word accepted by s; then 
by the definition of the accepted set of words of a 
universal state, σ must be accepted by each of 
s_1, ..., s_k. By our induction ordering, s_1, ..., s_k are 
smaller than s and hence we apply IH on them to 
get that wp(rev(σ)[assume/assert], AMap(s_i)) = 
HMap(s_i) for i ∈ {1, ..., k}. Two cases arise based on 
whether 

- AMap(s) is a conjunction of AMap(s_i) for 
i ∈ {1, ..., k}: Following Rule Conj-Case 
we set HMap(s) = ∧_i HMap(s_i), and 
wp(rev(σ)[assume/assert], AMap(s)) = 
HMap(s) then follows from Property 1 (the 
conjunction part) of the weakest precondition. 

- AMap(s) is a disjunction of AMap(s_i) for 
i ∈ {1, ..., k}: Following Rule Disj-Case 
we set HMap(s) = ∨_i HMap(s_i), and 
wp(rev(σ)[assume/assert], AMap(s)) = 
HMap(s) then follows from Property 1 (the 
disjunction part) of the weakest precondition. 

2) s is an existential state: If s is an accepting state then 
the same argument as used in the base case holds. 
If s is not an accepting state then the only outgoing 
transition from s is of the form (s, op, {s'}). By 
rule Literal-Assn, wp(op[assume/assert], AMap(s)) = AMap(s'). 
Now consider a word 
σ ∈ acc(s). σ must be of the form σ''.op.σ' where 
wp(σ''[assume/assert], AMap(s)) = AMap(s) (*) 
(because of the self transitions constructed from 
Rule Literal-Self-Assn) and σ' ∈ acc(s'). 
Therefore, 

wp(rev(σ)[assume/assert], AMap(s)) 
= wp(rev(σ''.op.σ')[assume/assert], AMap(s)) 
= wp(rev(σ').op.rev(σ'')[assume/assert], AMap(s)) 
= wp(rev(σ').op[assume/assert], AMap(s)) (using (*)) 
= wp(rev(σ')[assume/assert], wp(op[assume/assert], AMap(s))) 
  (using the definition of the weakest precondition) 
= wp(rev(σ')[assume/assert], AMap(s')) (using transition rule Literal-Assn) 

As σ' ∈ acc(s') this is the same as HMap(s') by 
applying IH on s'. As HMap(s) is the same as 
HMap(s'), as set in Rule Lit-Case, we prove 
this case as well. 

■ 

E. Proof of Correctness of Transformation-I 

Lemma 5: Let A be an automaton constructed from a trace 
and a post condition as defined in Definition 1 and further 
modified by Algorithm 1; then for every state s of this AFA 
and for every word σ accepted by state s, HMap(s) is logically 
equivalent to wp(rev(σ)[assume/assert], AMap(s)). 

Proof: The proof of this lemma is very similar to the proof 
of Lemma 4 given in Appendix D. Here we only highlight the 
changes in the proof. Note that this transformation converts 
some universal states to existential states. Let s be one such 
state that was converted from a universal to an existential state. Let 
(s, ε, {s_1, ..., s_k}) be the original transition in the AFA which 
got modified to (s, ε, {s_{u_1}, ..., s_{u_m}}), where s_{u_1}, ..., s_{u_m} are the 
newly created universal states of Line 5 of Algorithm 1. By construction, 
HMap(s_{u_j}) is unsatisfiable for each of s_{u_1}, ..., s_{u_m} (*). Let 
σ be a word accepted by s after converting it to an existential 
state. By the acceptance conditions, σ must be accepted by at least 
one state in that set, say s_{u_j}. By IH on s_{u_j} we 
get wp(σ[assume/assert], AMap(s_{u_j})) = HMap(s_{u_j}) (**). 
Further, by construction AMap(s) implies AMap(s_{u_j}). From this 
fact, along with the monotonicity property of the weakest 
precondition, Property 2, we get that wp(σ[assume/assert], 
AMap(s)) is unsatisfiable and hence the same as HMap(s). ■ 

F. Proof of Correctness of Transformation-II 

Lemma 6: Let A be an automaton constructed from a 
trace and a post condition as defined in Definition 1 and 
further modified by adding edges as discussed above; then 
for every state s of this AFA and for every word σ 
accepted by state s, HMap(s) is logically equivalent to 
wp(rev(σ)[assume/assert], AMap(s)). 

Proof: As a result of adding edges in this transformation, 
we cannot use the ordering among states as done for the earlier 
proofs. This is because a transition (s, op, S) now does not 
guarantee that the states in the set S are smaller than s, and 
hence it will not be possible to apply IH directly. Therefore 
in this proof we apply induction on the length of the word σ accepted 
by some state s. 

• Induction step: Let s ∈ A and σ ∈ acc(s) such that 
|σ| = m + 1. Either s ∈ S_∃ or s ∈ S_∀. If s ∈ S_∃ 
and σ ∈ acc(s) then there exists a state s' such that 
(s, op, {s'}) ∈ δ and σ' ∈ acc(s'), where σ = σ''.op.σ' 
and wp(σ''[assume/assert], AMap(s)) = AMap(s) (**). 
Based on this transition (s, op, {s'}) ∈ δ we have the 
following sub-cases. 

- (s, op, {s'}) was added by this transformation by 
virtue of one of the following conditions. 

* HMap(s) and HMap(s') are unsatisfiable and 
wp(op[assume/assert], AMap(s)) ⇒ AMap(s') 
(Rule-Unsat): By IH on σ' we have that 
wp(rev(σ')[assume/assert], AMap(s')) 
is logically equivalent to HMap(s'). 
Using Property 2 (conjunction part) and 
the assumption wp(op[assume/assert], 
AMap(s)) ⇒ AMap(s') we get that 
wp(rev(σ')[assume/assert], wp(op, AMap(s))) 
is unsatisfiable and the same as HMap(s). 
Using (**), wp(rev(σ')[assume/assert], 
wp(op.rev(σ''), AMap(s))) is unsatisfiable and 
the same as HMap(s). By replacing σ = σ''.op.σ' we 
get the required proof. 

* HMap(s) and HMap(s') are valid and 
AMap(s') ⇒ wp(op[assume/assert], AMap(s)) 
(Rule-Valid): By IH on σ' we have that 
wp(rev(σ')[assume/assert], AMap(s')) is 
logically equivalent to HMap(s'). Using Property 
2 (disjunction part) and the assumption 
AMap(s') ⇒ wp(op[assume/assert], 
AMap(s)) we get that wp(rev(σ')[assume/assert], 
wp(op[assume/assert], AMap(s))) is valid and 
the same as HMap(s). Using (**) and replacing 
σ = σ''.op.σ' we get the required result, and hence 
proved. 

- If this transition was already in δ, we can use the 
same reasoning as used in the proof of Lemma 4 to 
show that wp(rev(σ)[assume/assert], AMap(s)) is 
logically equivalent to HMap(s). 

• If s ∈ S_∀ then a similar argument goes as in the proof 
of Lemma 4, because no new transition gets added from 
these states as a result of this transformation. 

■ 

G. Proof of Theorem 1 

Proof: 

• Let us first prove that this algorithm terminates for finite 
state programs. For finite state programs the number of 
possible assertions used in the construction of the AFA is 
finite and hence only a finite number of different AFAs 
are possible. This implies the termination of the algorithm. 

• Following Lemma 4 and the fact that AMap(s0) = ¬φ, 
every word σ' accepted by this AFA, equivalently written 
as σ' ∈ acc(s0), satisfies wp(rev(σ')[assume/assert], 
¬φ) = HMap(s0) (*). By Lemma 3 and the fact that 
RMap(s0) = σ we get rev(σ) ∈ acc(s0) (**). Combining 
(**) and (*), we get wp(rev(rev(σ))[assume/assert], 
¬φ) = HMap(s0), or equivalently wp(σ[assume/assert], 
¬φ) = HMap(s0). 

- If I ∧ HMap(s0) is satisfiable (Line 6) then 
I ∧ wp(σ[assume/assert], ¬φ) is satisfiable as 
well. Following Lemma 2 we get a valid error trace, 
which is returned in Line 8. 

- If I ∧ HMap(s0) is unsatisfiable then by Lemma 1 
this trace is provably correct. Now we apply the 
transformations of Section III-C on the AFA to increase the 
set of words accepted by it. The final AFA is then 
reversed and subtracted from the set of executions 
seen so far. Lemma 4 ensures that for all such 
words σ' the condition I ∧ wp(σ', ¬φ) is unsatisfiable, and 
therefore none of them violate φ starting from the 
initial state. Therefore in every iteration only correct 
sets of executions are removed from the set of 
all executions, and when this loop terminates 
all the executions have been proved correct. 